BESS Asset Owners Must Prep for Cyber Threats
Predicted phenomenal growth of BESS
Energy storage is an increasingly key component of the transition to a low-carbon economy. It enables the integration of renewable energy sources, improves grid reliability and stability, and provides backup power in case of emergencies.
Battery energy storage installations around the world are projected to reach a cumulative 411 GW - or 1,194 GWh - by the end of 2030. That is 15 times the 27GW/56GWh of storage that was online at the end of 2021.
Matching growth in cyber-attacks in the Power sector
It is universally acknowledged that we live in uncertain times due to geo-political upheavals and an increasing number of cyber-attacks on businesses and individuals. In recent years, a number of cyber-attacks have targeted power and renewable energy companies around the world. Some of these attacks such as ransomware or theft of data are motivated by financial gain, others are sabotage or espionage driven by political or ideological agendas. Not surprisingly therefore, cyber security is increasingly high on the boardroom agenda of every company, especially those operating in the battery storage and wider renewable energy sectors. One recent and major cyber-attack incident occurred in April 2022, when three Germany-based wind-energy companies were hit by cyber-attacks that disrupted their remote-control systems for thousands of wind turbines. Other examples include leaked data from India's main power company by Hive Ransomware Group in 2022, a ransomware hit on a Luxembourg energy supplier (also in the same year) which threatened to leak 150 gigabytes of sensitive information, and data theft from a major wind operator in 2021.
Operational and Information Technology complexities causing vulnerability
As battery energy storage systems (BESS) and renewable energy increasingly become part of countries’ critical national infrastructure (CNI), cyber security for their systems must be a priority. However, because of complex and often ‘invisible’ vulnerabilities, cyber security is a challenging issue for asset owners to address. Unfortunately, the risks of cyber-attacks are multifaceted. The nature of the current digital evolution across the renewable energy sector makes operational technologies (OT), which monitor and control BESS physical processes, more connected than ever before. OT systems are often connected to information technologies (IT) for data collection, analysis, and remote management, which creates a complex and often hard-to-see attack surface for malicious actors. However, cyber security for OT is playing catch-up with IT; many OT systems are not designed with cyber security in mind and lack basic protections. Moreover, OT systems often fall outside the scope of enterprise cyber risk management, making them ‘invisible’ to IT teams. This vulnerability has already been exploited in the power sector, such as in the 2020 ransomware attack on a US natural gas facility, when the attacker was able to exploit OT vulnerabilities, having secured access via an IT intrusion.
(image courtesy https-//www.researchgate.net/publication/360784464)
Specific BESS vulnerabilities
Battery management systems (BMSs) have a key role in maintaining the battery cells’ physical integrity. The SCOR Stationary Battery Energy Storage Systems Handbook 2022 describes in detail a key vulnerability: “Due to their higher specific energy density and a greater sensitivity to electrical and environmental abuse, lithium-ion batteries need to be effectively managed with a BMS. When improperly managed, a lithium-ion battery will easily reach a ‘thermal runaway’ state because it has a low cell resistance and high energy storage capacity”.
This need for a continuous active control is a major weakness if the BMS can be interfered with externally.
Wider impact from attacks
Utility scale BESS are more and more often designed to provide grid stability in particular nodes of the power networks, generally by means of applications such as frequency response or synthetic inertia. In these systems, the BMSs are integrated with the BESS control and monitoring, as well as with electricity markets real time data and the utility’s corporate network. This interconnection between data domains and the BESS intrinsic physical capabilities can be exploited to cause harm by inducing system instability and potentially wide area blackouts.
Cyber causing physical damage
A threat actor who compromises a BMS could violate operational constraints, making changes to the battery’s charge, temperature, degradation or operation. They could also disable protection mechanisms, cause damage or malfunction, induce power grid instability, or modify readings to impair monitoring accuracy. Stored energy has inherent safety risks (gassing, fire, toxic chemicals) and therefore, the risk of causing considerable physical damage becomes very real.
Insurer exclusions
Unfortunately, many in the sector underestimate the extent to which physical damage can be caused by cyber-attacks. The potential physical losses described above can be excluded from operational property damage insurance cover should they be the result of a cyber-attack, so it is important to check policy wordings. Asset owners therefore may need to consider how they can fill the gap in cover and explore separate insurance coverage solutions for cyber-related property damage exposures.
New Cyber Property Damage Insurance Solution
Fortunately, the insurance market is dynamic. Both Cyber and Property insurers are addressing the potential gap in coverage, despite the increasing risk and geo-political environment. In fact, a new Cyber Property Damage product has recently been launched by Aon, with the backing of London market insurance capacity to protect against this increasing vulnerability. Property Damage and ensuing Business Interruption can be covered for losses triggered by a malicious cyber act up to $50M (with additional capacity available if required) and could be an essential protection of the balance sheet.
Taking steps to mitigate risks
BESS owners in particular should understand their vulnerabilities and potential exposure to cyber-attacks, along with the consequential loss of revenue and potential lack of insurance protection thanks to onerous cyber exclusions in their policy wordings. Owners should take steps now to reinforce their cyber security strategies, before a major cyber-attack impacts the sector, and specifically their business. Businesses may benefit by following a model known as ‘The Cyber Loop’, a circular and iterative cyber security strategy that builds long-term resilience by assessing the size of the risk, building resilience and mitigating the impact, transferring the risk away from the balance sheet where possible, and being able to drive operational and financial loss recovery.
Energy storage systems are an increasingly important part of the energy mix but with this increased presence comes unwanted attention from threat actors. The solution is to be prepared, understand the exposures, and protect the balance sheet where possible.
Adam Piper is Executive Director Power and Renewables Industry – Global Broking Centre – Aon at Aon LLC, a global professional services and management consulting firm that exists to shape decisions for the better, to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries and sovereignties with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.
Aon | www.aon.com
Author: Adam Piper, ACII
Volume: 2023 November/December